
How to

Establish and Maintain an Enterprise Process for Reporting Incidents

- Safeguard 17.3

Here's a step-by-step guide to establish and maintain an enterprise process for the workforce to report security incidents, as per the requirements in CIS Control 17 - Incident Response Management, Implementation Group 1 (IG1):

 

Step 1: Define Incident Reporting Policies and Requirements:

  1. Clearly define what constitutes a security incident within your organization. Examples could include data breaches, malware infections, unauthorized access, and more.

  2. Specify the reporting timeframe. Determine how quickly incidents need to be reported upon discovery.

  3. Identify the personnel to whom incidents should be reported. This could include the IT department, the security team, and designated incident response personnel.

 

Step 2: Mechanism for Reporting:

  1. Choose mechanisms for reporting incidents that are easily accessible to all employees. Options might include email, dedicated incident reporting software, phone hotline, or a web-based reporting form.

  2. Ensure that reporting mechanisms are available 24/7 to accommodate incidents that occur outside of regular business hours.

 

Step 3: Minimum Information to be Reported:

  1. Define the minimum information that employees need to provide when reporting an incident. This might include:

    • Date and time of incident discovery

    • Description of the incident

    • Location or system affected

    • Any potential impact on data, systems, or operations

    • Names of individuals involved (if known)

  2. Emphasize the importance of accuracy and completeness in incident reporting.


Step 4: Create a Publicly Available Process:

  1. Develop a clear and concise document outlining the incident reporting process. Make sure it's written in plain language for easy understanding by all employees.

  2. Publish this document on your organization's intranet, employee portal, or other accessible platforms. Consider sending it as part of employee onboarding materials and including it in cybersecurity awareness training.

 

Step 5: Annual Review and Updates:

  1. Schedule an annual review of the incident reporting process. During this review, assess whether the process is still effective and relevant.

  2. Revise the process as necessary based on changes in technology, threats, and the organization's structure.

  3. Additionally, review the process when significant changes occur within the organization that could impact incident reporting, such as mergers, acquisitions, or changes in leadership.

Step 6: Communicate and Train:

  1. Communicate the incident reporting process to all employees through regular internal communications, such as newsletters, email reminders, or town hall meetings.

  2. Conduct cybersecurity awareness training sessions to educate employees about the process, reporting mechanisms, and the importance of prompt reporting.

 

Step 7: Incident Response Team Preparation:

  1. Assemble an incident response team consisting of representatives from IT, security, legal, communications, and management.

  2. Define roles and responsibilities within the incident response team for handling reported incidents.

Step 8: Testing and Exercises:

  1. Conduct tabletop exercises to simulate incident scenarios and test the effectiveness of the reporting process and response procedures.

  2. Use the lessons learned from exercises to refine the incident reporting process and improve incident response coordination.

By following these steps, you'll establish a robust incident reporting process that aligns with the requirements of CIS18 Controls. Remember that maintaining open lines of communication and continuous improvement are key components of an effective incident reporting process.
